What will be the steps for integrating the Windows server with NetWitness 11.2? The Windows server is not part of the domain but is connected to the LAN and is reachable.
You can use either of these two options: 'Microsoft WinRM Configuration and Troubleshooting' or 'Microsoft Windows using Adiscon Event Reporter or Intersect Alliance SNARE Event Source Configuration Guide'.
This link shows all the other options for different vendors for log collection: 'RSA NetWitness Platform Integrations Catalog'.
The supported Windows versions for the above two options are shown below:
The recommendation is to configure the Windows servers/machines whose logs you really want to collect and monitor. Configuring Windows machines that don't offer much security insight or are non-critical may add to your EPS and clutter your investigation, reporting and alerting.
One thing to note: you must use “basic auth” when collecting from a non-domain member. You cannot use “negotiate”.
Let me know if you run into any issues with the docs and I can give you a hand.
Hi Dave Glover,
Do you have the steps on this? We are trying to integrate non-domain Windows to our SIEM. What will be the setting on the log event readers group?
Yep, selected the basic. It gave a few errors while running the script in PowerShell; after correcting, it was able to receive the logs.
Thank you team for the help.